topic change data upon indexing Admin-0, Admin-1, Admin-2 --> Admin in Getting Data In

change data upon indexing Admin-0, Admin-1, Admin-2 --> Admin

mhornste — Wed, 21 Aug 2019 12:59:48 GMT

Hi,

I'm reading data from a JMeter test. One field is either named Admin or Admin-0, Admin-1 or Admin-2. The field is named ACL

I want Splunk to index this only as Admin. As written above, there is a value Admin which should be kept but the others should be renamed to Admin (instead of Admin-0 etc.).

My props.conf already looks like this

[mySourceType]
REPORT-jmeter = REPORT-jmeter
EXTRACT-full = ^(?<timeStamp>[^,]*),(?<elapsed>[^,]*),**"(?<label>[^,]*),(?<ACL>[^"]*)"**,(?<responseCode>[^,]*),(?<responseMessage>[^,]*),(?:(?<targetHost>[^\s]*)\s(?<JMeterThread>[^,]*))?,(?<dataType>[^,]*),(?<success>[^,]*),(?<failureMessage>[^,]*),(?<bytes>[^,]*),(?<sentBytes>[^,]*),(?<grpThreads>[^,]*),(?<allThreads>[^,]*),(?<URL>[^,]*),(?<Latency>[^,]*),(?<IdleTime>[^,]*),(?<Connect>[^$]*)

Example data:

2019/08/21 14:52:14.222,2003**,"Upload Document TXT, User-0"**,302,OK,hostname 1-1,text,true,,1234,0,1,1,https://FQDN,2003,0,0

So the above props.conf already splits two strings into two fields.

May I ask someone to help me to achieve this?

Thanks in advance!

Re: change data upon indexing Admin-0, Admin-1, Admin-2 --> Admin

mhornste — Wed, 21 Aug 2019 13:37:18 GMT

marking the interesting lines bold did not work

"(?[^,]),(?[^"])"

the above regex splits the two values already into two fields. ACL should have only Admin or User (without -0 etc.)

Re: change data upon indexing Admin-0, Admin-1, Admin-2 --> Admin

somesoni2 — Wed, 21 Aug 2019 13:48:47 GMT

Try this

EXTRACT-full = ^(?<timeStamp>[^,]*),(?<elapsed>[^,]*),"(?<label>[^,]*),(?<ACL>[^-"]*)(-\d+)*",(?<responseCode>[^,]*),(?<responseMessage>[^,]*),(?:(?<targetHost>[^\s]*)\s(?<JMeterThread>[^,]*))?,(?<dataType>[^,]*),(?<success>[^,]*),(?<failureMessage>[^,]*),(?<bytes>[^,]*),(?<sentBytes>[^,]*),(?<grpThreads>[^,]*),(?<allThreads>[^,]*),(?<URL>[^,]*),(?<Latency>[^,]*),(?<IdleTime>[^,]*),(?<Connect>[^$]*)

Re: change data upon indexing Admin-0, Admin-1, Admin-2 --> Admin

mhornste — Wed, 21 Aug 2019 14:10:36 GMT

Hi,

thanks, that worked! There is one small issue left: the label field sometimes still has the ACL (Admin/ User) left. See result of the new indexed data below:

Screenshot result

Re: change data upon indexing Admin-0, Admin-1, Admin-2 --> Admin

mhornste — Wed, 21 Aug 2019 14:21:01 GMT

https://imgur.com/a/pktkt3s

Re: change data upon indexing Admin-0, Admin-1, Admin-2 --> Admin

somesoni2 — Wed, 21 Aug 2019 15:25:37 GMT

Try this

EXTRACT-full = ^(?<timeStamp>[^,]*),(?<elapsed>[^,]*),"(?<label>[^,]+),(?<ACL>[^-"]+)(-\d*)*",(?<responseCode>[^,]*),(?<responseMessage>[^,]*),(?:(?<targetHost>[^\s]*)\s(?<JMeterThread>[^,]*))?,(?<dataType>[^,]*),(?<success>[^,]*),(?<failureMessage>[^,]*),(?<bytes>[^,]*),(?<sentBytes>[^,]*),(?<grpThreads>[^,]*),(?<allThreads>[^,]*),(?<URL>[^,]*),(?<Latency>[^,]*),(?<IdleTime>[^,]*),(?<Connect>[^$]*)

Re: change data upon indexing Admin-0, Admin-1, Admin-2 --> Admin

mhornste — Thu, 22 Aug 2019 07:34:54 GMT

That worked, thanks so much!